Security issues

lamspc wrote on Saturday, September 07, 2013:

I have noticed a potential security vulnerability with the openemr web directory structure and files being visible to the public. The standard measures (such as Deny all for patient doc directories) does protect patient documents. However, some php forms under contrib allow direct save option to the public.

I would suggest the following additional security measures:
modify virtual host in apache sites-enabled entry to include:
<Directory "/var/www/openemr">
Options -Indexes
</Directory>

OR: create a .htaccess file under /var/www/openemr simply containing "Options -Indexes"

Either of these two options will make the web directories forbidden to the public.

Any thoughts?

Paul

bradymiller wrote on Saturday, September 07, 2013:

Hi,

Would be very nice to have this (and might as well throw in the settings to not allow access to the documents, edi, and era directories and other security settings that make sense). Then could yank the .htaccess file from the documents directory also and just consolidate it into one.

An important thing to note is that some apache default installations do not have the .htaccess use turned on by default. So, it still makes sense to let users know how to set apache to use the .htaccess file along with making the changes in the apache config, which could be documented here:
http://www.open-emr.org/wiki/index.php/Securing_OpenEMR

-brady
OpenEMR
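The consolidated Apache configuration both posts describe, as an added example (not code from the OpenEMR project or from either poster): directory listing is disabled for the whole web root, and the documents, edi and era directories are denied outright so the per-directory .htaccess file can be dropped. Paths under `sites/default/` and the server name are assumptions; the `Require` directives are Apache 2.4 syntax, with the 2.2 equivalent shown in comments. Note that `Options -Indexes` only hides the listing; a file whose path is already known is still served unless its directory is denied, which is why the second set of blocks is still needed.

```apache
# Added example, not OpenEMR's shipped config. Adjust paths to your install.
<VirtualHost *:443>
    ServerName openemr.example.org      # placeholder
    DocumentRoot /var/www/openemr

    # Web root: serve files, but never list a directory that lacks an index.
    <Directory "/var/www/openemr">
        Options -Indexes
        # AllowOverride None ignores .htaccess files entirely, so all rules
        # live in this file. Use "AllowOverride Options Limit" instead if you
        # still rely on the per-directory .htaccess approach.
        AllowOverride None
        Require all granted               # Apache 2.2: Order allow,deny / Allow from all
    </Directory>

    # Patient documents, EDI and ERA files: never served directly by Apache.
    # OpenEMR reads them through PHP after checking the user's session.
    # Assumed layout: sites/default/{documents,edi,era}; older installs kept
    # these at the web root, so add matching blocks for your layout.
    <Directory "/var/www/openemr/sites/default/documents">
        Require all denied                # Apache 2.2: Order deny,allow / Deny from all
    </Directory>
    <Directory "/var/www/openemr/sites/default/edi">
        Require all denied
    </Directory>
    <Directory "/var/www/openemr/sites/default/era">
        Require all denied
    </Directory>
</VirtualHost>
```

After editing, run `apachectl configtest` before reloading so a typo does not take the site down, then confirm with a browser that a directory URL (for example the contrib folder) returns 403 rather than a file listing.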